PRIVACY DECLARATION FOR
FUJIFILM Healthcare Europe

Date of Release: July 1, 2021

1.1. The FUJIFILM group of companies operates websites in various countries. Joint-controller of all websites are (i) FUJIFILM Healthcare Europe Holding AG, Sumpfstrasse 13, CH - 6312 Steinhausen, Switzerland, e-mail cdp_hce@fujifilm.com and (ii) the respective country company indicated below. Where no joint controller is indicated, FUJIFILM Healthcare Europe Holding AG is controller:

1.2. The FUJIFILM companies above and any of their affiliates are individually and collectively referred to as “HCE”. In case of doubt, the term “HCE” or “we” or “us” refers to the controller or joint-controller of the Website you are visiting.

1.3. This Privacy Declaration applies also to eventual HCE brand pages on third party platforms (e.g. Facebook) and eventual HCE mobile applications (the above mentioned websites, HCE mobile applications and eventual HCE brand pages on third party platforms hereafter individually and collectively referred to as “Websites”). It also applies where you have been directed to this website following agreeing to allow HCE to process your personal data for a particular purpose.

1.4. Your legal relationship is with the HCE entity which is controller respectively joint-controller of the Website you are visiting and/or through which you contact us, unless specifically stated otherwise elsewhere.

This Privacy Declaration, including any privacy terms referenced herein, any of them as amended from time to time (“Privacy Declaration”), together with the Cookie Policy, are the basis on which any data, including personal data, we collect from you or which you as an internet user, prospect, customer, partner, agent, distributer, supplier, visitor of our onsite premises, participant or trainer of trainings provided by us, attendee of a seminar or webinar provided by us, or a visitor to one of stands/booths at a congress or educational event (virtual or in person), will be processed by us. The Privacy Declaration towards our employees is governed by their employment agreement. If you are a candidate for prospective employment with us, you must use our e-recruitment tool, which is subject to a separate Privacy Declaration.

3.1. Our Data Protection Officer / Data Protection Team can be contacted by post or via email at privacyoffice_eu@fujifilm.com.

3.2. You have the right to lodge a complaint with a competent supervisory authority in accordance with the applicable laws if you consider that the processing of personal data relating to you infringes your rights. For this purpose, you can contact in particular the supervisory authority in the EU Member State of your habitual residence or the place of the alleged infringement. For the EU, a list of the national Data Protection Authorities can be found at https://edpb.europa.eu/about-edpb/about-edpb/members_en. For Switzerland, you can contact the Federal Data Protection and Information Commissioner at https://www.edoeb.admin.ch. For the UK, you can contact the Information Commissioner’s Office (ICO) at https://ico.org.uk.

4.1. We undertake that the data we receive and/or collect from you is processed in accordance with applicable law and only for the purposes stated in this Privacy Declaration or elsewhere explicitly notified to you (e.g. in mobile app terms).

4.2. Provision of personal data is voluntary; however, without providing us certain data you cannot receive certain services from us or purchase products from us.

4.3. We do not entrust, sell, rent, license, transfer etc. our database containing your personal data, except as set out in this Privacy Declaration.

We will not collect and use your personal data without your consent, except where we may lawfully collect and use your information on one of the following bases:

• where processing is necessary to perform a contract between you and us or in order to take steps at your request prior to entering into a contract;
• where processing is necessary for the purposes of the legitimate interests pursued by us or by a third party, where those legitimate interests are not overridden by your rights or interests;
• occasionally, to protect your vital interests or those of others (such as where there is a risk of imminent harm);
• occasionally, where necessary in the public interest, or to comply with a legal obligation, a court order, or to exercise and defend legal claims.

6.1. We may collect and process the following general data about you:

• information which you provide when you contact us by any means of communication in particular name/surname and contact details;
• information which you provide by filling in any of our contact or other forms on our Website in particular name/surname and contact details;
• data which you provide during a sales or purchase or service process, in particular name/ surname, contact details, billing address, delivery address;
• information which you provide us in the context of entering and / or performing a contract with us, in particular, in addition to the above, your company’s contact person, flags for security trade control, payroll information;
• information which you provide us when you participate in an event, a congress, a training, or a competition or promotion sponsored or organised by us or one of our affiliates;
• information which you provide us when registering or attending a symposium or event organized or promoted by us or one of our affiliates;
• information which you provide us if you decide to participate in and complete surveys;
• information which you provide when registering in our visitors book;
• information which we receive from third parties in connection with our business activities, for example from congress operators;
• Information which we receive from you surfing on our Website.

6.2. Other data (special categories of personal data): We may additionally collect, use and process other data as further set in this Privacy Declaration or as named below:

• payment data (bank information, debit and credit card information) which you provide to us for a payment;
• patient data in the unlikely event our customer (e.g. physician, hospital) did not delete patient data when we support and maintain the products.

7.1. Subject to the conditions of lawful processing set out in this Privacy Declaration, we may use your personal data outlined above for the following purposes.

a) Based on processing for contract performance or prior to it:

• Carry out our obligations arising from any contract entered into between you and us;
• Contacts for business negotiations, meetings and communication with a customer or supplier;
• Offering transactions, products or services to you which may be of interest to you, as further set out in this Privacy Declaration;
• Delivery of after-sales service on products, and sending information on events and new products;
• Measures to control and optimise business processes and to fulfil general duties of care, including control and supervision of affiliated companies (e.g. by parent company);
• Support and maintain our products in the context of the contract, where our customer (e.g. physician, hospital) needs to ensure, that we do not have access to any patient data;
• Response to various inquiries from current, prospect or former customer or supplier;
• Ensure that the content of our Website is presented to you in the most effective manner;
• Customize the future purchasing experience for you;
• Marketing analysis and statistical research for internal needs of HCE of your website visit;
• Provide you with products or services that you request from us;
• Send you notifications, e.g. regarding changes to our set of terms and conditions;
• Ensuring good quality customer services;
• Logging eventual consent form your side;
• Safeguarding our rights and claims.

b) Based on the legitimate interests pursued by the controller or by a third party:

• Statistical evaluations for corporate management, cost recording and controlling, reporting, internal and external communication, emergency management, accounting and tax assessment of operational performance, risk management;
• Ensuring IT security (including system and plausibility tests) and general security, including building and facility security, securing and exercising house rights (e.g. through access controls); guaranteeing the integrity, authenticity and availability of data, prevention and investigation of criminal offences; control by supervisory bodies or control bodies (e.g. auditing);
• Development of services and products as well as existing systems and processes;
• Disclosure of personal data within the scope of a due diligence in company sales negotiations;
• Comparison with European and international anti-terrorist or export control lists to the extent this goes beyond the legal obligations;
• Enhancement of our data, including through the use or research of publicly accessible data or acquisition of public available data through third parties;
• Statistical evaluations or market analysis as well as benchmarking;
• Assertion of legal claims and defence in legal disputes which are not directly attributable to a contractual relationship;
• Limited storage of data, if deletion is not possible or only possible with disproportionate effort due to the special type of storage;
• Development of scoring systems or automated decision-making processes;
• Prevention and investigation of criminal offences, if not exclusively for the fulfilment of legal obligations;
• Internal and external investigations, safety reviews;
• Monitoring or recording of telephone conversations for quality control and training purposes;
• Preservation and maintenance of certifications (e.g. ISO certifications) of a private-law or official nature;
• Securing and exercising property rights through appropriate measures as well as through video surveillance to protect our customers and employees and to secure evidence in the event of criminal offences and their prevention.

c) Based on your consent:

Your personal data may also be processed for certain purposes with your consent. As a rule, you can revoke this at any time. We especially process your data based on your consent in the following contexts:

• Provide you with information that you request from us;
• Advertising or market and opinion research, as long as you have not objected to the use of your data;
• Sharing your personal data with FUJIFILM companies or FUJIFILM distributors in your resident country and with FUJIFILM Healthcare Corporation in Japan who may also share your personal data with FUJIFILM companies or FUJIFILM distributors in your resident country.

In principle, the revocation of consent is only effective for the future. Processing that took place before the revocation is not affected and remains lawful.

d) For the fulfilment of a legal duty such as:

• Identity and age verification;
• Fraud and money laundering prevention;
• Compliance with European and international export control lists;
• Fulfilment of tax law control and reporting obligations;
• Archiving of data for data protection and data security purposes as well as verification by tax and other authorities;
• For the purposes of taking evidence, prosecution or enforcement of civil law claims.

Insofar as this is required for the distribution and sale of our products and the provision of our services or the conduct of our business, we process personal data received from other companies or other third parties (e.g. credit agencies, address publishers) as permitted. In addition, we process personal data which we have legitimately taken, received or acquired from publicly accessible sources (such as telephone directories, trade and association registers, registration registers, debtor registers, land registers, press, Internet and other media).

9.1. When visiting our Website certain information is temporarily stored in a log-file on the server. Such information is automatically provided by the browser of your end use device when accessing our Website. It may in particular include but is not limited to:

• IP address;
• Details of your visits, including for example date and time of access;
• Name and URL of the resource of file which you access;
• Website from which you access our Website (referrer URL);
• Browser type and version and other information provided by your browser (such as operating system of your device, name of your access-provider, geographical origin, language settings etc.).

9.2. We may use such information for the following purposes:

• System administration, security and stability;
• Statistics (e.g. create reports on an aggregate basis such as statistical data about our visitors’ browsing actions and patterns);
• Further administrative purposes; and/or
• Fraud protection and other security purposes, for example if the behaviour on or access to our Website by you or from your device harms the interests or causes any damage to HCE or third parties with which HCE collaborates.

We use cookies (session cookies and permanent cookies) and website analytics tools on our website which are subject to our additional Cookie Policy.

11.1. When you provide us personal data and/or contact information (through our Website or at an event or congress), you agree (subject to your right to refuse or revoke your consent according to the relevant section below) that we may send you newsletters, messages and other alerts by mail, e-mail, short messages (SMS), push notifications or phone. Such communications are sent, amongst others, with or without human interference for purpose of direct marketing or advertising similar products or services offered by HCE.

11.2. We reserve the right (i) to choose whom to send newsletters, messages and/or alerts to and (ii) to remove in our databases of customers or prospective customers anyone as addressee of newsletters, messages and/or alerts, even if such person has given consent to receive such communications; both (i) and (ii) without any further commitment on behalf of HCE or of further notice.

We may process some of your data with the aim of evaluating certain personal aspects (profiling). In order to be able to provide you with targeted information and advice on products, we may use evaluation instruments. These enable demand-oriented product design, communication and advertising, including market and opinion research. Such procedures can also be used to assess your solvency and creditworthiness and to combat money laundering and fraud.

13.1. The data that we collect from you may be processed in, transferred to, and/or stored at a location inside the European Economic Area ("EEA"), European Union (“EU”) or Switzerland.

13.2. The data that we collect from you may also be processed in, transferred to and stored at a location outside the EEA, EU and Switzerland, subject to us having taken all steps required by the applicable laws relating to the transfer of personal data abroad eg. Japan, where FUJIFILM Healthcare Corporation is located. In any case we ensure that adequate safeguards are in place as required by applicable laws before we transfer, store or locate your data abroad.

14.1. The data that we collect from you may be processed by staff who work for us, our affiliates from the HCE group or one of our or our affiliates’ third party service providers. Such staff may be engaged in, among other things, the operation of the Website, the sales of products, the fulfilment of your order, the processing of your payment details or the provision of support services.

14.2. We may disclose and/or transfer your personal data to any of our affiliates, which means any member of the HCE group of companies as well our direct, indirect and ultimate holding company and their subsidiaries, in the event we reorganise the way in which we provide services to you and such data transfer or disclosure is required to provide or continue to provide services to you.

14.3. We may disclose your data to third party service providers (i) to implement our obligations which we have to you, including but not limited to delivery of ordered products by a courier, sending postal mail, e-mail, SMS or push notifications, or (ii) which provide services to us or our affiliates, such as data analysis, marketing assistance, advertising services, translation, payment processing, logistic or customer support services, consulting, audit or legal services, or generally in relation with the purposes as described in the section “purpose of processing your data”. Such disclosure is permitted provided that such third parties need access to the data to perform their services but may not use them for other purposes, in particular not for their own internal business purposes and they have adequate data security measures in place.

14.4. If you provide any payment data directly to us (including bank account in case of a product return), we will disclose it to third party payment service providers to the extent required to provide refund or payment to you.

14.5. Your bank, credit card or debit card issuer and a third party payment service provider may have access or view any data or documents related to your order or purchase contract.

14.6. We may further disclose your data to third parties and subject to the provisions of applicable law:

• In the event that we sell or buy any business or assets, in which case we may disclose your personal data to the prospective seller or buyer of such business or assets;
• If the controller of the website or substantially all of its assets are acquired by a third party, in which case personal data held by it about its customers will be one of the transferred assets;
• If we are under a duty to disclose or share your personal data in order to comply with any legal, regulatory or court obligation;
• In order to enforce or apply our Privacy Declaration, Terms of Use and other agreements or to protect the rights, property or safety of us, our customers, or others including debts collection; or
• As otherwise provided in this Privacy Declaration.

15.1. The rights of the persons concerned are governed by the applicable national and international law. Depending on the applicable law, the persons concerned may assert the following rights:

a) to request transparent information about your personal data processed by us. In particular, information pursuant to Art. 15 GDPR or Art. 8 DPA (CH) which may contain information on:

• confirmation from us whether your personal data is or is not being processed;
• purpose of the processing and the justification reason;
• category of personal data;
• the categories of recipients to whom your information has been or will be disclosed;
• the planned storage time;
• the existence of a right to rectification, cancellation, restriction of processing or opposition;
• the existence of a right of appeal;
• the origin of your data, as far as these were not collected with us;
• the existence of automated decision making, including profiling and, where appropriate, meaningful information on its details; for the time being, we do not use purely automated decision-making procedures. If we should nevertheless use such a procedure in individual cases in the future, we will inform you of this separately, provided that this is legally prescribed;
• right to request information about the source from which we obtained your personal data for processing.

b) to demand immediate correction of incorrect or complete personal data stored by us (Art. 16 GDPR, Art. 5 para. 2 DPA (CH)).

c) to demand the deletion of your personal data stored with us, unless the processing is (Art. 17 GDPR, Art. 15 DPA (CH))

• necessary in relation to the purposes for which they were collected or otherwise processed;
• based on another legal ground than consent and/or processed lawfully;
• based on dominant private interest and such domination could be demonstrated to the data subject;
• subject of a legal hold or legal compliance.

d) to demand the restriction of the processing of your personal data (i) if you dispute the accuracy of the data, (ii) if the processing is unlawful, but you oppose the erasure and you request the restriction of use instead, (iii) if we no longer need the data, but you need it to assert, exercise or defend legal claims or (iv) if you have filed an objection against the processing pursuant to Art. 21 GDPR (Art. 18 GDPR, Art. 15 DPA).

e) to receive your personal data that you have provided to us in a structured, current and machine-readable format or to request its transfer to another person responsible (Art. 20 GDPR).

f) to revoke your consent to this Privacy Declaration, and/or request deregistration and deletion from our Website (in case of RSS Feed) or by unsubscribing to our newsletter. Such revocation of consent will neither apply to existing transactions between us nor to processing activities that were not subject to your consent, e.g. in case of our prevailing legitimate interest that we have in the processing of the data.

g) to object at any time to the processing of your data where the processing is for the performance of a task carried out in the public interest (Art. 6 lit. e GDPR) or on the basis of legitimate interests pursued by the controller or a third party (Art 6 lit. f GDPR), if there are reasons for this arising from your particular situation. This also applies to profiling. If you object, we will no longer process your personal data, unless we can prove compelling reasons worthy of protection for the processing, which outweigh your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims (Art. 21 GDPR).

h) to object at any time to our processing of your personal data for direct marketing purposes; you have the right to object to receiving advertising; this applies also to profiling, insofar as it is connected with such direct advertising.

15.2 Where you want to make use of any of such right, please address your request in writing (e-mail or signed and dated letter) or form-free to the Customer Service at the address indicated on our Website.

Data is stored for the following periods:

• Data processed based on statutory grounds, for the duration of the legal retention obligation period;
• Data processing which is necessary for the performance of a contract, for the duration of the contractual relationship and at maximum for ten years following termination of the contractual relationship, unless there is a legal hold;
• Data processed in order to protect our legitimate interests may be processed at a maximum for ten years following termination of any legal relationship, unless there is a legal hold;
• Job application documents, if no employment contract was concluded, will be deleted and/or destroyed six months after the start of the successful candidate;
• Information that is no longer necessary and for which there is no legal retention obligation will be destroyed after the purpose and justification becomes invalid;
• We never store patient data.

17.1. We undertake to have appropriate technical and organisational measures in place to keep your data secure and to be able to comply with the commitments provided in this Privacy Declaration and all requirements of applicable law.

17.2. Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to and from our Website; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.

17.3. We are not responsible for damages incurred which are outside our reasonable control, including malfunctions that could jeopardize the security of the servers on which the database containing personal data is hosted.

17.4. Where we have given you (or where you have chosen) a password which enables you to access certain parts of our Website, you are responsible for keeping this password confidential. We ask you not to share a password with anyone. You (only and exclusively) bear full responsibility for sharing your data with third parties. Please use a password, which is not trivial and do update it on a regular basis.

We do not assume any responsibility if you are misled by non-authorized third parties that present themselves as representatives of HCE. Please inform us if you become aware of such behaviour by any third party.

This Privacy Declaration and all matters arising or relating to these terms shall be governed by the law of the country of the controller as outlined in section 3 above. The courts of that same country shall have exclusive jurisdiction to settle any disputes, which may arise out of or in connection with these Privacy Declaration. The competent Supervisory Authority for any Data Protection issues is outlined in section 3.